1 Substructural logic and partial correctness
Dexter Kozen, Jerzy Tiuryn 

July 2003 ACM Transactions on Computational Logic (TOCL), Volume 4 Issue 3
Publisher: ACM Press 


We formulate a noncommutative sequent calculus for partial correctness that subsumes 
propositional Hoare Logic. Partial correctness assertions are represented by intuitionistic 
linear implication. We prove soundness and completeness over relational and trace 
models. As a corollary, we obtain a complete sequent calculus for inclusion and 
equivalence of regular expressions. 

Keywords: Dynamic logic, Hoare logic, Kleene algebra, Kleene algebra with tests, linear 
logic, sequent calculus, specification, substructural logic 



2 High level specification and design: Achieving maximum performance: a method for
the verification of interlocked pipeline control logic
Kerstin Eder, Geoff Barrett 

June 2002 Proceedings of the 39th conference on Design automation DAC '02 
Publisher: ACM Press 


Getting the interlock logic which controls pipeline flow correct is an important prerequisite 
for maximising pipeline performance. Unnecessary pipeline stalls can only be eliminated 
when they can be distinguished from those stalls which are necessary to preserve 
functional correctness. Typically, designers know when these necessary stalls should 
occur. We propose a method for deriving a maximum pipeline performance specification 
from a complete functional specification of the pipeline control log ... 



Keywords: interlock logic, pipeline stall, verification 



3 Processor verification using efficient reductions of the logic of uninterpreted functions
to propositional logic

Randal E. Bryant, Steven German, Miroslav N. Velev

January 2001 ACM Transactions on Computational Logic (TOCL), Volume 2 Issue 1
Publisher: ACM Press


The logic of Equality with Uninterpreted Functions (EUF) provides a means of abstracting
the manipulation of data by a processor when verifying the correctness of its control logic.
By reducing formulas in this logic to propositional formulas, we can apply Boolean
methods such as ordered Binary Decision Diagrams (BDDs) and Boolean satisfiability
checkers to perform the verification. We can exploit characteristics of the formulas
describing the verification conditions to greatly simplify the ...

Keywords: decision procedures, processor verification, uninterpreted functions



4 Automatic generation and verification of sufficient correctness properties for
synchronous processors

Filip Van Aelten, Stan Y. Liao, Jonathan Allen, Srinivas Devadas 

November 1992 Proceedings of the 1992 IEEE/ACM international conference on
Computer-aided design ICCAD '92
Publisher: IEEE Computer Society Press 




5 Proving correctness of compiler optimizations by temporal logic
David Lacey, Neil D. Jones, Eric Van Wyk, Carl Christian Frederiksen 

January 2002 ACM SIGPLAN Notices, Proceedings of the 29th ACM SIGPLAN-SIGACT
symposium on Principles of programming languages POPL '02, Volume 37 Issue 1
Publisher: ACM Press 


Many classical compiler optimizations can be elegantly expressed using rewrite rules of
form: I ⇒ I′ if φ, where I, I′ are intermediate language instructions and φ is a
property expressed in a temporal logic suitable for describing program data flow. Its
reading: If the current program π contains an instruction of form I at some control point
p, and if flow condition φ is satisfied at p, then ...

6 On Hoare logic and Kleene algebra with tests 
Dexter Kozen 

July 2000 ACM Transactions on Computational Logic (TOCL), Volume 1 Issue 1
Publisher: ACM Press 


We show that Kleene algebra with tests (KAT) subsumes propositional Hoare logic (PHL). 
Thus the specialized syntax and deductive apparatus of Hoare logic are inessential and 
can be replaced by simple equational reasoning. In addition, we show that all relationally 
valid inference rules are derivable in KAT and that deciding the relational validity of such 
rules is PSPACE-complete. 

Keywords: Hoare logic, Kleene algebra, Kleene algebra with tests, dynamic logic, 
specification 
Peter F. A. Middelhoek, Sreeranga P. Rajan

April 1996 ACM Transactions on Design Automation of Electronic Systems (TODAES),
Volume 1 Issue 2
Publisher: ACM Press 


In this article we provide a practical transformational approach to the synthesis of correct 
synchronous digital hardware designs from high-level specifications. We do this while 
taking into account the complete life cycle of a design from early prototype to full custom 
implementation. Besides time-to-market, both flexibility with respect to target 
architecture and efficiency issues are addressed by the methodology. The utilization of 
user-selected behavior-preserving transformation steps e ... 

Keywords: CDFG, SFG, VHDL, correctness by construction, design methodology, rapid 
system prototyping, transformational design 



8 Rigorous proofs of program correctness without formal logic
J. R. Jefferson Wadkins 

March 1995 ACM SIGCSE Bulletin, Proceedings of the twenty-sixth SIGCSE technical
symposium on Computer science education SIGCSE '95, Volume 27 Issue 1
Publisher: ACM Press 


Three fundamental principles of static reasoning used to write imperative program code 
with built-in proof of its correctness are presented and explained in operational terms. It 
is argued that, although the traditional use of formal logic in the Hoare-Dijkstra-Gries 
methodology is probably the most efficient way to write code with built-in proofs of 
correctness, the ideas underlying that methodology are much simpler than commonly 
perceived through the veil of formal logic and axiomatic sem ... 

9 Object-oriented logical specification of time-critical systems 
Angelo Morzenti, Pierluigi San Pietro 

January 1994 ACM Transactions on Software Engineering and Methodology (TOSEM),
Volume 3 Issue 1
Publisher: ACM Press 


We define TRIO+, an object-oriented logical language for modular system specification. 
TRIO+ is based on TRIO, a first-order temporal language that is well suited to the 
specification of embedded and real-time systems, and that provides an effective support 
to a variety of validation activities, like specification testing, simulation, and property 
proof. Unfortunately, TRIO lacks the ability to construct specifications of complex systems 
in a system ... 

Keywords: first-order logic, formal specifications, model-theoretic semantics, object-oriented
methodologies, real-time systems, temporal logic



10 Scalable hybrid verification of complex microprocessors

Maher Mneimneh, Fadi Aloul, Chris Weaver, Saugata Chatterjee, Karem Sakallah, Todd
Austin

June 2001 Proceedings of the 38th conference on Design automation DAC '01 
Publisher: ACM Press 


We introduce a new verification methodology for modern microprocessors that uses a
simple checker processor to validate the execution of a companion high-performance
processor. The checker can be viewed as an at-speed emulator that is formally verified to
be compliant to an ISA specification. This verification approach enables the practical
deployment of formal methods without impacting overall performance.

11 Consistency in a partitioned network: a survey
Susan B. Davidson, Hector Garcia-Molina, Dale Skeen
September 1985 ACM Computing Surveys (CSUR), Volume 17 Issue 3

Publisher: ACM Press 


Recently, several strategies have been proposed for transaction processing in partitioned 
distributed database systems with replicated data. These strategies are surveyed in light 
of the competing goals of maintaining correctness and achieving high availability. 
Extensions and combinations are then discussed, and guidelines are presented for 
selecting strategies for particular applications. 

12 An algebra for composing access control policies
Piero Bonatti, Sabrina De Capitani di Vimercati, Pierangela Samarati 

February 2002 ACM Transactions on Information and System Security (TISSEC), Volume 5 Issue 1
Publisher: ACM Press 


Despite considerable advancements in the area of access control and authorization
languages, current approaches to enforcing access control are all based on monolithic and
complete specifications. This assumption is too restrictive when access control restrictions
to be enforced come from the combination of different policy specifications, each possibly
under the control of independent authorities, and where the specifics of some component
policies may not even be known a priori. Turning individu ...

Keywords: Access control, algebra, logic programs, policy composition 



13 A note on the complexity of propositional Hoare logic 
Ernie Cohen, Dexter Kozen 

July 2000 ACM Transactions on Computational Logic (TOCL), Volume 1 Issue 1
Publisher: ACM Press 


We provide a simpler alternative proof of the PSPACE-hardness of propositional Hoare 
logic (PHL). 

Keywords: Hoare logic, specification 



14 Essays in computing science 
C. A. R. Hoare 
January 1989 Book 

Publisher: Prentice-Hall, Inc. 

Charles Antony Richard Hoare is one of the most productive and prolific computer
scientists. This volume contains a selection of his published papers. There is a need, as in 
a Shakespearian Chorus, to offer some apology for what the book manifestly fails to 
achieve. It is not a complete 'collected works'. Selection between papers of this quality is 
not easy and, given the book's already considerable size, some difficult decisions as to 
what to omit have had to be made. Pity the editor weighin ... 

15 Correctness proofs of distributed termination algorithms 

Krzysztof R. Apt 

June 1986 ACM Transactions on Programming Languages and Systems (TOPLAS),
Volume 8 Issue 3
Publisher: ACM Press 


The problem of correctness of the solutions to the distributed termination problem of 
Francez [7] is addressed. Correctness criteria are formalized in the customary framework 
for program correctness. A very simple proof method is proposed and applied to show 
correctness of a solution to the problem. It allows us to reason about liveness properties 
of temporal logic (see, e.g., Manna and Pnueli [12]) using a new notion of weak total 
correctness. 

16 Control predicates are better than dummy variables for reasoning about program
control
Leslie Lamport

April 1988 ACM Transactions on Programming Languages and Systems (TOPLAS),
Volume 10 Issue 2
Publisher: ACM Press 


When explicit control predicates rather than dummy variables are used, the Owicki-Gries 
method for proving safety properties of concurrent programs can be strengthened, 
making it easier to construct the required program annotations. 

17 Quorum consensus in nested transaction systems 
Kenneth J. Goldman, Nancy A. Lynch 

December 1987 Proceedings of the sixth annual ACM Symposium on Principles of 
distributed computing PODC '87 

Publisher: ACM Press 




18 Reasoning about systems with many processes 
Steven M. German, A. Prasad Sistla 
July 1992 Journal of the ACM (JACM), Volume 39 Issue 3

Publisher: ACM Press 


Methods are given for automatically verifying temporal properties of concurrent systems 
containing an arbitrary number of finite-state processes that communicate using CCS 
actions. Two models of systems are considered. Systems in the first model consist of a
unique control process and an arbitrary number of user processes with identical 
definitions. For this model, a decision procedure to check whether all the executions of a 
process satisfy a given specifi ... 
19 Simple relational correctness proofs for static analyses and program transformations
Nick Benton 

January 2004 ACM SIGPLAN Notices, Proceedings of the 31st ACM SIGPLAN-SIGACT
symposium on Principles of programming languages POPL '04, Volume 39 Issue 1
Publisher: ACM Press 






We show how some classical static analyses for imperative programs, and the optimizing 
transformations which they enable, may be expressed and proved correct using 
elementary logical and denotational techniques. The key ingredients are an interpretation
of program properties as relations, rather than predicates, and a realization that although 
many program analyses are traditionally formulated in very intensional terms, the 
associated transformations are actually enabled by more liberal extension ... 

Keywords: Hoare logic, denotational semantics, dependency, information flow, 
optimizing compilation, partial equivalence relations, program analysis, security, types 
Debra J. Richardson, Stephanie Leif Aha, T. Owen O'Malley
1 On the correctness of orphan management algorithms
Maurice Herlihy, Nancy Lynch, Michael Merritt, William Weihl
October 1992 Journal of the ACM (JACM), Volume 39 Issue 4

Publisher: ACM Press 




In a distributed system, node failures, network delays, and other unpredictable
occurrences can result in orphan computations—subcomputations that continue to run but
whose results are no longer needed. Several algorithms have been proposed to prevent
such computations from seeing inconsistent states of the shared data. In this paper, two
such orphan management algorithms are analyzed. The first is an algorithm implemented
in the Argus distributed-computing system at M ...

Keywords: Argus, atomic actions, avalon, camelot, input-output automata, recovery, 
serializability 



Model checking and modular verification 
Orna Grumberg, David E. Long 

May 1994 ACM Transactions on Programming Languages and Systems (TOPLAS),
Volume 16 Issue 3
Publisher: ACM Press 


We describe a framework for compositional verification of finite-state processes. The 
framework is based on two ideas: a subset of the logic CTL for which satisfaction is 
preserved under composition, and a preorder on structures which captures the relation 
between a component and a system containing the component. Satisfaction of a formula 
in the logic corresponds to being below a particular structure (a tableau for the formula) 
in the preorder. We show how to do assume-guarantee-style reas ... 

Keywords: CTL, Moore machines, computer-aided verification, formal verification, model 
checking, temporal logics 
Full text available: pdf(442.86 KB) Additional Information: full citation, abstract, references, citings, index terms 

We review the existing literature on Java safety, emphasizing formal approaches, and the 
impact of Java safety on small footprint devices such as smartcards. The conclusion is 
that although a lot of good work has been done, a more concerted effort is needed to 
build a coherent set of machine-readable formal models of the whole of Java and its 
implementation. This is a formidable task but we believe it is essential to build trust in 
Java safety, and thence to achieve ITSEC level 6 or Common Crite ... 

Keywords: Common criteria, programming 



Security as a safety issue in rail communications 
J. Smith, S. Russell, M. Looi 

October 2003 Proceedings of the 8th Australian workshop on Safety critical systems 

and software - Volume 33 SCS '03 
Publisher: Australian Computer Society, Inc. 

Full text available: pdf(301.67 KB) Additional Information: full citation, abstract, references, index terms 

Systems whose failure can lead to the damage of property or the environment, or loss of 
human life are regarded as safety-critical systems. It is no longer adequate to build 
safety-critical systems based on the control of errors and failures alone. Safety-critical 
systems must also deal with securing the data that is used in their operation. While safety 
and security engineering have evolved separately, there are a number of similarities. 
These similarities and efforts to integrate safety and se ... 

Keywords: formal methods, rail control, safety-critical systems, security, system safety 



Evaluation of safety-critical software 
David L. Parnas, A. John van Schouwen, Shu Po Kwan 
June 1990 Communications of the ACM, Volume 33 Issue 6 
Publisher: ACM Press 

Full text available: pdf(1.62 MB) Additional Information: full citation, abstract, references, citings, index terms, review 

Methods and approaches for testing the reliability and trustworthiness of software remain 
among the most controversial issues facing this age of high technology. The authors 
present some of the crucial questions faced by software programmers and eventual users. 
October 2002 Proceedings of the 2002 international conference on Compilers, 
architecture, and synthesis for embedded systems CASES '02 

Publisher: ACM Press 

Full text available: pdf(127.10 KB) Additional Information: full citation, abstract, references, citings, index terms 

This paper considers the problem of providing safe programming support and enabling 
secure online software upgrades for control software in real-time control systems. In such 
systems, offline techniques for ensuring code safety are greatly preferable to online 
techniques. We propose a language called Control-C that is essentially a subset of C, but 
with key restrictions designed to ensure that memory safety of code can be verified 
entirely by static checking, under certain system assumpti ... 

Keywords: compiler, control, programming language, real-time, security, static analysis 



Resourceful systems for fault tolerance, reliability, and safety 
Russell J. Abbott 

March 1990 ACM Computing Surveys (CSUR), Volume 22 Issue 1 

Publisher: ACM Press 

Full text available: pdf(3.36 MB) Additional Information: full citation, abstract, references, citings, index terms, review 

Above all, it is vital to recognize that completely guaranteed behavior is impossible and 
that there are inherent risks in relying on computer systems in critical environments. The 
unforeseen consequences are often the most disastrous [Neumann 1986]. Section 1 of 
this survey reviews the current state of the art of system reliability, safety, and fault 
tolerance. The emphasis is on the contribution of software to these areas. Section 2 
reviews current approaches to software fault ... 

8 Software safety: why, what, and how 
Nancy G. Leveson 

June 1986 ACM Computing Surveys (CSUR), Volume 18 Issue 2 
Publisher: ACM Press 

Full text available: pdf(4.10 MB) Additional Information: full citation, abstract, references, citings, index terms, review 

Software safety issues become important when computers are used to control real-time, 
safety-critical processes. This survey attempts to explain why there is a problem, what 
the problem is, and what is known about how to solve it. Since this is a relatively new 
software research area, emphasis is placed on delineating the outstanding issues and 
research topics. 
Milo M. K. Martin, Mark D. Hill, David A. Wood 

May 2003 ACM SIGARCH Computer Architecture News, Proceedings of the 30th 
annual international symposium on Computer architecture ISCA '03, Volume 
31 Issue 2 
Publisher: ACM Press 

Full text available: pdf(269.08 KB) Additional Information: full citation, abstract, references, citings 

Many future shared-memory multiprocessor servers will both target commercial 
workloads and use highly-integrated "glueless" designs. Implementing low-latency cache 
coherence in these systems is difficult, because traditional approaches either add 
indirection for common cache-to-cache misses (directory protocols) or require a totally- 
ordered interconnect (traditional snooping protocols). Unfortunately, totally-ordered 
interconnects are difficult to implement in glueless designs. An ideal coherenc ... 

10 Formal verification in hardware design: a survey 
Christoph Kern, Mark R. Greenstreet 

April 1999 ACM Transactions on Design Automation of Electronic Systems (TODAES), 
Volume 4 Issue 2 
Publisher: ACM Press 

Full text available: pdf(411.53 KB) Additional Information: full citation, abstract, references, citings, index terms 

In recent years, formal methods have emerged as an alternative approach to ensuring the 
quality and correctness of hardware designs, overcoming some of the limitations of 
traditional validation techniques such as simulation and testing. There are two main 
aspects to the application of formal methods in a design process: the formal framework 
used to specify desired properties of a design and the verification techniques and tools 
used to reason about the relationship between a spec ... 

Keywords: case studies, formal methods, formal verification, hardware verification, 
language containment, model checking, survey, theorem proving 
management systems: the case of conflict resolution and recovery 

Ricky Butler, Jeffrey Maddalon, Alfons Geser, Cesar Munoz 

December 2003 Proceedings of the 35th conference on Winter simulation: driving 
innovation WSC '03 

Publisher: Winter Simulation Conference 

Full text available: pdf(199.07 KB) Additional Information: full citation, abstract, references 

New air traffic management concepts distribute the responsibility for traffic separation 
among the several actors of the aerospace system. As a consequence, these concepts 
move the safety risk from human controllers to the onboard software and hardware 
systems. One example of the new kind of distributed systems is air traffic conflict 
detection and resolution. Traditional methods for safety analysis such as human-in-the- 
loop simulations, testing, and flight experiments may not be sufficient i ... 

14 Lutess: a specification-driven testing environment for synchronous software 
L. du Bousquet, F. Ouabdesselam, J.-L. Richier, N. Zuanon 

May 1999 Proceedings of the 21st international conference on Software engineering 
ICSE '99 

Publisher: IEEE Computer Society Press 
15 On developing and verifying design abstractions for reliable concurrent programming 
in Ada 

A. Burns, A. J. Wellings, A. M. Koelmans, M. Koutny, A. Romanovsky, A. Yakovlev 
March 2001 ACM SIGAda Ada Letters, Proceedings of the 10th international 
workshop on Real-time Ada workshop IRTAW '00, Volume XXI Issue 1 
Publisher: ACM Press 

Full text available: pdf(633.46 KB) Additional Information: full citation, abstract 

Ada 95 is an expressive concurrent programming language, which allows building large 
multi-tasking applications. Much of the complexity of these applications stems from the 
interactions between the tasks. Design abstractions (such as atomic actions, 
conversations etc.) have been proposed to deal with such complexity. This paper argues 
that Petri nets offer a promising, tool-supported, technique for checking the logical 
correctness of abstractions. The paper illustrates the effectiveness of this ... 

16 Selected writings on computing: a personal perspective 
Edsger W. Dijkstra 

January 1982 Book 

Publisher: Springer-Verlag New York, Inc. 

Full text available: pdf(60.98 MB) Additional Information: full citation, abstract, references, cited by, index terms 

Since the summer of 1973, when I became a Burroughs Research Fellow, my life has 
been very different from what it had been before. The daily routine changed: instead of 
going to the University each day, where I used to spend most of my time in the company 
of others, I now went there only one day a week and was most of the time - that is, when 
not travelling! - alone in my study. In my solitude, mail and the written word in general 
became more and more important. The circumstance that my employe ... 

17 Synthesis of fault-tolerant concurrent programs 
Paul C. Attie, Anish Arora, E. Allen Emerson 

January 2004 ACM Transactions on Programming Languages and Systems (TOPLAS), 

Volume 26 Issue 1 
Publisher: ACM Press 

Full text available: pdf(419.95 KB) Additional Information: full citation, abstract, references, index terms 

Methods for mechanically synthesizing concurrent programs from temporal logic 
specifications obviate the need to manually construct a program and compose a proof of 
its correctness. A serious drawback of extant synthesis methods, however, is that they 
produce concurrent programs for models of computation that are often unrealistic. In 
particular, these methods assume completely fault-free operation, that is, the programs 
they produce are fault-intolerant. In this paper, we show how to mechanical ... 

Keywords: Concurrent programs, fault-tolerance, program synthesis, specification, 
temporal logic 
January 1982 Book 

Publisher: Addison-Wesley Longman Publishing Co., Inc. 
From the Preface (See Front Matter for full Preface) 

Electronic computers have evolved from exiguous experimental enterprises in the 1940s 
to prolific practical data processing systems in the 1980s. As we have come to rely on 
these systems to process and store data, we have also come to wonder about their ability 
to protect valuable data. 



Data security is the science and study of methods of protecting data in computer and 
communication systems from unauthorized disclosure ... 

19 Verification techniques for cache coherence protocols 
Fong Pong, Michel Dubois 

March 1997 ACM Computing Surveys (CSUR), Volume 29 Issue 1 
Publisher: ACM Press 

Full text available: pdf(1.25 MB) Additional Information: full citation, abstract, references, citings, index terms 

In this article we present a comprehensive survey of various approaches for the 
verification of cache coherence protocols based on state enumeration, symbolic model 
checking, and symbolic state models. Since these techniques search the state space of 
the protocol exhaustively, the amount of memory required to manipulate that state 
information and the verification time grow very fast with the number of processors and 
the complexity of the protocol mechanism ... 

Keywords: cache coherence, finite state machine, protocol verification, shared-memory 
multiprocessors, state representation and expansion 



20 Architecture: Leveraging cache coherence in active memory systems 
Daehyun Kim, Mainak Chaudhuri, Mark Heinrich 

June 2002 Proceedings of the 16th international conference on Supercomputing ICS '02 

Publisher: ACM Press 

Full text available: pdf Additional Information: full citation, abstract, references, citings, index terms 
Active memory systems help processors overcome the memory wall when applications 
exhibit poor cache behavior. They consist of either active memory elements that perform 
data parallel computations in the memory system itself, or an active memory controller 
that supports address re-mapping techniques that improve data locality. Both active 
memory approaches create coherence problems, even on uniprocessor systems, since 
there are either additional processors operating on the data directly, or the ... 

Keywords: active memory, address re-mapping, cache coherence 